Class: AWSCDK::NetworkFirewall::CfnTLSInspectionConfiguration::ServerCertificateConfigurationProperty

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
network_firewall/cfn_tls_inspection_configuration.rb

Overview

Configures the Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a TLSInspectionConfiguration . You can configure ServerCertificates for inbound SSL/TLS inspection, a CertificateAuthorityArn for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see Using SSL/TLS server certficiates with TLS inspection configurations in the AWS Network Firewall Developer Guide .

If a server certificate that's associated with your TLSInspectionConfiguration is revoked, deleted, or expired it can result in client-side TLS errors.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(certificate_authority_arn: nil, check_certificate_revocation_status: nil, scopes: nil, server_certificates: nil) ⇒ ServerCertificateConfigurationProperty

Returns a new instance of ServerCertificateConfigurationProperty.

Parameters:



724
725
726
727
728
729
730
731
732
733
# File 'network_firewall/cfn_tls_inspection_configuration.rb', line 724

def initialize(certificate_authority_arn: nil, check_certificate_revocation_status: nil, scopes: nil, server_certificates: nil)
  @certificate_authority_arn = certificate_authority_arn
  Jsii::Type.check_type(@certificate_authority_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "certificateAuthorityArn") unless @certificate_authority_arn.nil?
  @check_certificate_revocation_status = check_certificate_revocation_status.is_a?(Hash) ? ::AWSCDK::NetworkFirewall::CfnTLSInspectionConfiguration::CheckCertificateRevocationStatusProperty.new(**check_certificate_revocation_status.transform_keys(&:to_sym)) : check_certificate_revocation_status
  Jsii::Type.check_type(@check_certificate_revocation_status, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c19uZXR3b3JrZmlyZXdhbGwuQ2ZuVExTSW5zcGVjdGlvbkNvbmZpZ3VyYXRpb24uQ2hlY2tDZXJ0aWZpY2F0ZVJldm9jYXRpb25TdGF0dXNQcm9wZXJ0eSJ9XX19")), "checkCertificateRevocationStatus") unless @check_certificate_revocation_status.nil?
  @scopes = scopes
  Jsii::Type.check_type(@scopes, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmblRMU0luc3BlY3Rpb25Db25maWd1cmF0aW9uLlNlcnZlckNlcnRpZmljYXRlU2NvcGVQcm9wZXJ0eSJ9XX19LCJraW5kIjoiYXJyYXkifX1dfX0=")), "scopes") unless @scopes.nil?
  @server_certificates = server_certificates
  Jsii::Type.check_type(@server_certificates, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmblRMU0luc3BlY3Rpb25Db25maWd1cmF0aW9uLlNlcnZlckNlcnRpZmljYXRlUHJvcGVydHkifV19fSwia2luZCI6ImFycmF5In19XX19")), "serverCertificates") unless @server_certificates.nil?
end

Instance Attribute Details

#certificate_authority_arnString? (readonly)

The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within Certificate Manager (ACM) to use for outbound SSL/TLS inspection.

The following limitations apply:

  • You can use CA certificates that you imported into ACM, but you can't generate CA certificates with ACM.
  • You can't use certificates issued by Private Certificate Authority .

For more information about configuring certificates for outbound inspection, see Using SSL/TLS certificates with TLS inspection configurations in the AWS Network Firewall Developer Guide .

For information about working with certificates in ACM, see Importing certificates in the Certificate Manager User Guide .



748
749
750
# File 'network_firewall/cfn_tls_inspection_configuration.rb', line 748

def certificate_authority_arn
  @certificate_authority_arn
end

#check_certificate_revocation_statusAWSCDK::IResolvable, ... (readonly)

When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status.

If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a CertificateAuthorityArn in ServerCertificateConfiguration .



755
756
757
# File 'network_firewall/cfn_tls_inspection_configuration.rb', line 755

def check_certificate_revocation_status
  @check_certificate_revocation_status
end

#server_certificatesAWSCDK::IResolvable, ... (readonly)

The list of server certificates to use for inbound SSL/TLS inspection.



765
766
767
# File 'network_firewall/cfn_tls_inspection_configuration.rb', line 765

def server_certificates
  @server_certificates
end

Class Method Details

.jsii_propertiesObject



767
768
769
770
771
772
773
774
# File 'network_firewall/cfn_tls_inspection_configuration.rb', line 767

def self.jsii_properties
  {
    :certificate_authority_arn => "certificateAuthorityArn",
    :check_certificate_revocation_status => "checkCertificateRevocationStatus",
    :scopes => "scopes",
    :server_certificates => "serverCertificates",
  }
end

Instance Method Details

#to_jsiiObject



776
777
778
779
780
781
782
783
784
785
# File 'network_firewall/cfn_tls_inspection_configuration.rb', line 776

def to_jsii
  result = {}
  result.merge!({
    "certificateAuthorityArn" => @certificate_authority_arn,
    "checkCertificateRevocationStatus" => @check_certificate_revocation_status,
    "scopes" => @scopes,
    "serverCertificates" => @server_certificates,
  })
  result.compact
end